1

Question : Is there any way I could move/copy mount from one namespace to another?

Explanation: I would like to mount directory which didn't exist when container was created.

  1. I am creating container. It gets it own copy of host mount namespace
  2. Host creates some SourceDirectory
  3. Inside host I am bind mounting (with shared option enabled) SourceDirectory into /container_rootfs/tempDirectory
  4. Inside container I would like to read/write file to /tempDirectory so it gets to SourceDirectory

Step 4. is not working because on step 3 shared bind mount is only shared for the current host mount namespace, and container namespace was already "split" before. I get /tempDirectory like I wouldn't done step 3 at all.

If directory existed and the mount was made before creating container (so operation order from numbered list above 2 > 3 > 1 > 4) then everything works just fine as now container has mount namespace copied after my additional bind mount was created. And saving to /tempDirectory gets transferred to SourceDirectory.

So my question is - If there is any way that I could move/copy mount from one namespace (mine host mount namespace) to another (container mount namespace)?

If that is relevant (which I don't think so) I am using crun for containers.

Improve this question
0

1 Answer 1

Reset to default
2

I'm not aware of a way to retrospectively copy or move an existing mount, but...

You can execute the mount --bind command directly in the container's namespace with nsenter.

You must identify the pid (process id) for a process running in the container. You can use any process in the container as long as you can find it.

  • I'll draw your attention to the --pid-file option in crun.
  • Failing that you may need to use ps -ef to search for a process running in the container. Remember that the container may be in a pid namespace and give different pids inside the container to those of the host. You need the pid as seen by the host.

Assuming your containerised process has pid 4321 you should be able to mount using:

nsenter -mt 4321 mount --bind SourceDirectory /container_rootfs/

To experiment with nsenter I suggest that you try it out with an interactive command line first. If the pid for your containerised process is 4321 use:

nsenter -mt 4321 /bin/bash

Remember that there is a difference between a mount namespace and chroot. Your containerised processes will have been put in its own mount namespace but will also have been chrooted. Depending on the way this was done nsenter may or may not result in a chroot as well.

If you did mount SourceDirectory after the container was started, if it's not mounted at all in your container's namespace then it may be possible to mount it in the way you did before...

From what I read it is allowable to mount a partition twice so if you already executed mount /dev/sda4 on the host, it should generally be fine to execute mount /dev/sda4 in the container. The result will be the same as if you had used a bind mount.

Improve this answer
11
  • I already tried with mounting with container pid. The problem with that is when I do it on VM it works, but it looks like some platform fs driver does not support mounting filesystems inside different userns. To do that I would require FS_USERNS_MOUNT. And it is not set. So when I try to mount inside container on my platform I get "Operation not permitted". About mounting twice I can try doing that. Commented Jun 23, 2020 at 11:20
  • @Koczek that's quite an important detail which could have been in your question. To be clear did that happen when you attempted a bind mount or re-mounting as discussed at the end of my answer? Could you also identify which drivers don't work? Commented Jun 23, 2020 at 11:27
  • This is part of longer problem. I would like to loopmount some file inside container. Container is not privliged. So inside of host I am creating loopmount attach it to file. If I try then to bind mount dev/loop0 to /container_rootfs inside container mount namespace I get "Operation not permitted" (on VM it works fine on my platform it doesn't probably due to this FS_USERNS_MOUNT). If I try to mount this loop device in host to temp and then mount temp inside container it is not "seen" inside container (probably due to the different namespaces) Commented Jun 23, 2020 at 11:48
  • File format is Ext4, the host system is sadly Yocto linux to specific platform which I cannot share. For testing I use Vagrant VM. But if you are able to create loopmount inside host (after creation of container), and then make it available inside said container then I would be happy. Commented Jun 23, 2020 at 12:10
  • 1
    BTW, if you are using crun, --pid-file which you mentioned is generated later in oci life cycle, if you need pid on i.e. CreateRuntime hook you can use json which is provided to container stdin. Just read stdin and inside should be json which contains pid of container. Commented Jun 23, 2020 at 12:18

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.